Security for Service Oriented Architectures
OTHER INFORMATION SECURITY BOOKS FROM AUERBACH
Advances in Biometrics for Secure Human Authentication and Recognition
Dakshina Ranjan Kisku, Phalguni Gupta, and Jamuna Kanta Sing (Editors)
ISBN 978-1-4665-8242-2

Anonymous Communication Networks: Protecting Privacy on the Web
Kun Peng
ISBN 978-1-4665-0213-0

Automatic Defense Against Zero-day Polymorphic Worms in Communication Networks
Mohssen Mohammed and Al-Sakib Khan Pathan
ISBN 978-1-4665-5727-7

Conflict and Cooperation in Cyberspace: The Challenge to National Security
Panayotis A. Yannakogeorgos and Adam B. Lowther
ISBN 978-1-4665-9201-8

Conducting Network Penetration and Espionage in a Global Environment
Bruce Middleton
ISBN 978-1-4822-0647-0

Core Software Security: Security at the Source
James Ransome and Anmol Misra
ISBN 978-1-4665-6095-6

Data Governance: Creating Value from Information Assets
Neera Bhansali
ISBN 978-1-4398-7913-9

Developing and Securing the Cloud
Bhavani Thuraisingham
ISBN 978-1-4398-6291-9

Effective Surveillance for Homeland Security: Balancing Technology and Social Issues
Francesco Flammini, Roberto Setola, and Giorgio Franceschetti
ISBN 978-1-4398-8324-2

Enterprise Architecture and Information Assurance: Developing a Secure Foundation
James A. Scholz
ISBN 978-1-4398-4159-4

Information Security Fundamentals, Second Edition
Thomas R. Peltier
ISBN 978-1-4398-1062-0

Intrusion Detection in Wireless Ad-Hoc Networks
Nabendu Chaki and Rituparna Chaki
ISBN 978-1-4665-1565-9

Intrusion Detection Networks: A Key to Collaborative Security
Carol Fung and Raouf Boutaba
ISBN 978-1-4665-6412-1

Iris Biometric Model for Secured Network Access
Franjieh El Khoury
ISBN 978-1-4398-8157-6

Managing Risk and Security in Outsourcing IT Services: Onshore, Offshore and the Cloud
Frank Siepmann
ISBN 978-1-4398-7909-2

PCI Compliance: The Definitive Guide
Abhay Bhargav
ISBN 978-1-4398-8740-0

Responsive Security: Be Ready to Be Secure
Meng-Chow Kang
ISBN 978-1-4665-8430-3

Security and Privacy in Smart Grids
Yang Xiao
ISBN 978-1-4398-7783-8

Security for Service Oriented Architectures
Walter Williams
ISBN 978-1-4665-8402-0

Security without Obscurity: A Guide to Confidentiality, Authentication, and Integrity
J.J. Stapleton
ISBN 978-1-4665-9214-8

The Complete Book of Data Anonymization: From Planning to Implementation
Balaji Raghunathan
ISBN 978-1-4398-7730-2

The Frugal CISO: Using Innovation and Smart Approaches to Maximize Your Security Posture
Kerry Ann Anderson
ISBN 978-1-4822-2007-0

The State of the Art in Intrusion Prevention and Detection
Al-Sakib Khan Pathan
ISBN 978-1-4822-0351-6

Trade Secret Theft, Industrial Espionage, and the China Threat
Carl Roper
ISBN 978-1-4398-9938-0
AUERBACH PUBLICATIONS
www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: orders@crcpress.com
Security for
Service Oriented
Architectures
Walter Williams
CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20140404
International Standard Book Number-13: 978-1-4665-8404-4 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at
http://www.taylorandfrancis.com
and the CRC Press Web site at
http://www.crcpress.com
Contents
Preface ix
In Gratitude xi
Chapter 1 Introduction 1
Chapter 2 Four Kinds of Architectures 3
2.1 Architecture 3
2.2 Infrastructure 4
2.3 Software Architectures 9
2.3.1 Key Principles 10
2.3.2 Presentation Layer 13
2.3.3 Business Layer 15
2.3.4 Data Layer 16
2.3.5 Workflow 19
2.3.6 Communications and Messaging 20
2.3.7 Service Layer 21
2.4 Service-Oriented Architecture 22
2.4.1 Distributed Computing and Services 23
2.4.2 Process-Oriented SOA 25
2.4.3 Web Services or an Externally Focused SOA 27
2.4.4 Enterprise Service Bus 30
2.5 Security Architecture 30
2.5.1 Construction of a Security Architecture 33
2.5.2 Risk Management 34
2.5.3 Organization and Management 36
2.5.4 Third Parties 37
2.5.5 Asset Management 38
2.5.6 Information Classification 39
2.5.7 Identity Management 41
2.5.8 Security Awareness and Training 44
2.5.9 Physical Security 44
2.5.10 Communications and Operations Management 45
2.5.11 Perimeters and Partitioning 46
2.5.12 Access Control 48
2.5.13 Authentication 48
2.5.14 Authorization 50
2.5.15 Separation of Duties 51
2.5.16 Principles of Least Privilege and Least Authority 51
2.5.17 Systems Acquisition, Development, and Maintenance 52
2.5.18 Confidentiality Models 52
2.5.18.1 Lattice Models 52
2.5.19 Nonrepudiation 53
2.5.20 Integrity Models 53
2.5.21 Service Clark–Wilson Integrity Model 54
2.5.22 Security Assessments and Audits 58
2.5.23 Incident Management 58
2.5.24 Business Continuity 59
2.5.25 Compliance 60
2.6 Data Architectures 61
Chapter 3 Implementing and Securing SOA 65
3.1 Web Services 65
3.2 Extensible Markup Language 66
3.2.1 Signing XML 68
3.2.1.1 XML Digital Signature 68
3.2.2 XML Encryption 74
3.2.3 Key Management 79
3.2.3.1 Key Information 79
3.2.3.2 Location 79
3.2.3.3 Validation 80
3.2.3.4 Binding 80
3.2.3.5 Key Registration 80
3.2.4 XML and Databases 82
3.2.4.1 A Database Query Language for XML 82
3.2.4.2 XML Databases 83
3.2.5 UDDI 83
3.2.6 WSDL 84
3.3 SOAP 87
3.3.1 SOAP Roles and Nodes 89
3.3.2 SOAP Header Blocks 90
3.3.3 SOAP Fault 90
3.3.4 SOAP Data Model 91
3.3.5 SOAP Encoding 91
3.3.6 Bindings 92
3.3.7 Documents and RPC 93
3.3.8 Messaging 95
3.4 WS-Security 99
3.4.1 WS-Trust 107
3.4.2 WS-Policy 116
3.4.3 WS-SecureConversation 129
3.4.4 WS-Privacy and the P3P Framework 133
3.4.4.1 Policies 135
3.4.5 WS-Federation 144
3.4.5.1 Pseudonyms 153
3.4.5.2 Authorization 162
3.4.6 Authorization without WS-Federation 173
3.4.7 WS-Addressing 178
3.4.8 WS-ReliableMessaging 183
3.4.9 WS-Coordination 191
3.4.10 WS-Transaction 193
3.5 SAML 195
3.5.1 Assertions 197
3.5.2 Protocol 205
3.5.2.1 Assertion Query and Request Protocol 207
3.5.2.2 Authentication Request Protocol 209
3.5.2.3 Artifact Resolution Protocol 212
3.5.2.4 Name Identifier Management Protocol 212
3.5.2.5 Single-Logout Protocol 213
3.5.2.6 Name Identifier Mapping Protocol 214
3.5.3 Authentication Context 214
3.5.4 Bindings 218
3.5.5 Profiles 226
3.5.6 Metadata 229
3.5.7 Versions 240
3.5.8 Security and Privacy Considerations 241
3.6 Kerberos 244
3.7 X509v3 Certificates 246
3.8 OpenID 246
Chapter 4 Web 2.0 249
4.1 HTTP 249
4.2 REST 250
4.3 WebSockets 251
Chapter 5 Other SOA Platforms 253
5.1 DCOM 253
5.2 CORBA 253
5.3 DDS 254
5.4 WCF 255
5.5 .Net Passport, Windows LiveID 256
5.6 WS-BPEL 257
Chapter 6 Auditing Service-Oriented Architectures 271
6.1 Penetration Testing 272
6.1.1 Reconnaissance 272
6.1.2 Injection Attacks 277
6.1.3 Attacking Authentication 278
6.1.4 Attacking Authorization 284
6.1.5 Denial-of-Service Attacks 286
6.1.6 Data Integrity 286
6.1.7 Malicious Use of Service or Logic Attacks 288
6.1.8 Poisoning XML Schemas 289
Chapter 7 Defending and Detecting Attacks 291
7.1 SSL/TLS 291
7.2 Firewalls, IDS, and IPS 294
Chapter 8 Architecture 297
8.1 Example 1 297
8.2 Example 2 300
8.3 Example 3 305
8.4 Example 4 307
Bibliography 317
Index 323
Preface
As applications become more complex and distributed, it is increasingly important that security be considered during the design phases. While there are a lot of books and articles on point solutions that would flow from this integration, such as threat profiling and how to block injection attacks, there is more to consider in the design of an application than how to leverage some of the excellent tools that have been developed to enhance the security of our applications.

Applications, especially those that are distributed across corporate boundaries, benefit from being developed within a comprehensive design or an architecture. While there is a lot of literature on how to develop these software architectures and service-oriented architectures (SOAs), their treatment of security is focused on the use of tools within the architecture.

Information security also benefits from an architecture. However, traditional security architectures are most often focused on infrastructure and consider software as no more than applications that require integration into the policies and standards of an organization, leveraged within approved procedures.

This volume seeks to provide both security and software architects with a bridge between these two architectures, with the goal of providing a means to develop software architectures that leverage security architectures.